Limit reads in do_b2i_bio()
Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.
Thanks to Shi Lei for reporting this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 66bcba1457
)
This commit is contained in:
parent
e36f27ddb8
commit
b552f32dcb
1 changed files with 7 additions and 0 deletions
|
@ -127,6 +127,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
|
|||
# define MS_KEYTYPE_KEYX 0x1
|
||||
# define MS_KEYTYPE_SIGN 0x2
|
||||
|
||||
/* Maximum length of a blob after header */
|
||||
# define BLOB_MAX_LENGTH 102400
|
||||
|
||||
/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
|
||||
# define MS_PVKMAGIC 0xb0b5f11eL
|
||||
/* Salt length for PVK files */
|
||||
|
@ -272,6 +275,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
|
|||
return NULL;
|
||||
|
||||
length = blob_length(bitlen, isdss, ispub);
|
||||
if (length > BLOB_MAX_LENGTH) {
|
||||
PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG);
|
||||
return NULL;
|
||||
}
|
||||
buf = OPENSSL_malloc(length);
|
||||
if (!buf) {
|
||||
PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
|
||||
|
|
Loading…
Reference in a new issue